The first line populates the SAD database, based upon the data within the file /etc/ipsec.conf. From there, Racoon must negotiate a new key.

Shouldn't you populate the SPD, not the SAD? It's racoon's job to figure out the key, and the SPD entries describe when to invoke racoon.

A little while ago I got a Road Warrior configuration running, with SPD entries on my dynamic end... I still find the entire process mildly befuddling.

I think you should flesh out the interaction of the SPD and racoon. Then the second page of the article will be perfect.

*adds article to bookmarks*
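The SPD/SAD split the reply above points at, as an added example that is not part of the thread or of the article it discusses. It is a setkey(8) policy file in the format FreeBSD reads from /etc/ipsec.conf; the addresses (192.0.2.10, 203.0.113.1, 198.51.100.0/24) are constructed placeholders from the documentation ranges. Only SPD entries appear in it: the SAD is deliberately left empty, because when a packet matches a `require` policy and no SA exists, the kernel sends an acquire message and racoon negotiates the SA and installs it.

```conf
# Added example (not from the article or the commenters): a setkey(8)
# policy file for a FreeBSD host 192.0.2.10 (constructed address) that must
# protect all traffic to the subnet 198.51.100.0/24 behind the gateway
# 203.0.113.1 (also constructed).  Only the SPD is populated here; the SAD is
# left for racoon, which the kernel asks for an SA when a packet matches a
# "require" policy and no matching SA exists yet.

# Start from an empty SPD.  Do not flush the SAD here: racoon owns it, and
# flushing it would tear down SAs that were already negotiated.
spdflush;

# Outbound: packets from this host to the remote subnet must be protected by
# ESP in tunnel mode between the two gateways.  "require" means they are
# never sent in the clear; "use" would fall back to cleartext without an SA.
spdadd 192.0.2.10/32 198.51.100.0/24 any -P out ipsec
    esp/tunnel/192.0.2.10-203.0.113.1/require;

# Inbound: the mirror image, so that cleartext packets claiming to come from
# the remote subnet are dropped instead of being accepted as if decrypted.
spdadd 198.51.100.0/24 192.0.2.10/32 any -P in ipsec
    esp/tunnel/203.0.113.1-192.0.2.10/require;
```

Load it with `setkey -f /etc/ipsec.conf`, then compare `setkey -DP` (the SPD, which now holds the two policies) with `setkey -D` (the SAD, which stays empty until racoon has finished a negotiation). If the first packet towards 198.51.100.0/24 is dropped while `setkey -D` still shows nothing, the policy is doing its job and racoon has not yet installed the SA; once the SAD fills in, traffic flows.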

Granted, this article is on FreeBSD, but I've been meaning to find some words on how ipsec interacts with iptables. It bugs me that ipsec mucks with routing without any entries in the routing table, or virtual devices to make the changes plainly known. I believe I end up marking esp packets on INCOMING, then check for the mark in other parts of the firewall after decryption.